Broadcom bnxt driver update under OPNsense

In general, the support of the hardware for the Open Source firewall OPNsense is dependent on the drivers that are supplied by the FreeBSD kernel. It may occur that there are new drivers from the manufacturer that are integrated later in FreeBSD kernel. For this reason, it is possible to install the driver manually if problems occur. This article explains the console message "HWRM_CFA_L2_SET_RX_MASK command returned RESOURCE_ALLOC_ERROR error" that may occur during the use of Broadcom network cards under OPNsense 25.4 (also involves the community edition OPNsense 25.1). It is shown how to update the driver under OPNsense Business Edition 25.4 (also valid for the community edition 25.1) so that the console message no longer occurs.

Problem description

This console message "HWRM_CFA_L2_SET_RX_MASK command returned RESOURCE_ALLOC_ERROR error" occurs during the use of Broadcom bnxt-driver-based network cards (for example the Broadcom P225p) and during the use of the latest OPNsense versions (community edition 25.1 and business edition 25.4) in connection with VLANs or link aggregations.

Affected components

The following components were used during the research to represent the problem:

• Supermicro H12SSW-NT (with 2x 1OG Broadcom BCM57416 onboard)
• Broadcom P225p (2x 25/10G PCIe NIC)

Solution

This problem can be currently solved by manual compilation of the current driver. With the future version of OPNsense 25.7, there will be a lot of improvements on the bnxt driver by updating the FreeBSD kernel.

New kernel with OPNsense 25.7

With the upcoming release of OPNsense 25.7, the kernel should be updated to FreeBSD 14.3-RELEASE according to the roadmap developers.^[1] (opnsense.org) This new kernel contains a lot of improvements for bnxt driver based network cards.^[2] (freebsd.org)

Manual compilation of bnxt driver

A specific problem solution can be made via manual compilation of the bnxt driver.

Performance of manual compilation and installation of bnxt driver

The following paragraph describes the manual compilation of the bnxt drivers under OPNsense business edition 25.4, which is also valid for OPNsense 25.1.

Preparation

Activate SSH at OPNsense firewall. This can be made in the webinterface via System --> Settings --> Administration.

Connection via SSH and installation of required components

The following steps are made via SSH connection to the OPNsense firewall:

pkg install git
cd /usr/
git clone https://github.com/opnsense/src
git checkout stable/25.1 (für Business Edition 25.4 passt dies ebenso)
cd /root

Downloading and unpacking driver

Download the driver and unpack it with the following command:

pkg install git
cd /usr/
git clone https://github.com/opnsense/src
git checkout stable/25.1 (für Business Edition 25.4 passt dies ebenso)
cd /root

Installation of driver

With the following command, the driver is compilated and instead of the driver supplied by the kernel.

make
cp if_bnxt.ko /boot/kernel/if_bnxt174.ko
cd /boot/kernel
mv if_bnxt.ko if_bnxt133.ko
mv if_bnxt174.ko if_bnxt.ko
reboot

Verification after restart

Please verify after restarting if the current model is used.

sysctl -a | grep dev.bnxt.0.iflib.driver_version
dev.bnxt.0.iflib.driver_version: 233.0.174.0

In this case, the update worked out and the driver version was updated from 233.0.133.0 to 233.0.174.0.

References

Author: Thomas Niedermeier Thomas Niedermeier working in the product management team at Thomas-Krenn, completed his bachelor's degree in business informatics at the Deggendorf University of Applied Sciences. Since 2013 Thomas is employed at Thomas-Krenn and takes care of OPNsense firewalls, the Thomas-Krenn-Wiki and firmware security updates.

Translator: Alina Ranzinger Alina has been working at Thomas-Krenn.AG since 2024. After her training as multilingual business assistant, she got her job as assistant of the Product Management and is responsible for the translation of texts and for the organisation of the department.